Google issues patch to fix Android's ClientLogin data leaks

Google has announced it's starting to roll out a server-side patch for a security vulnerability in 99% of Android phones that could have allowed someone to snoop on an unencrypted Wi-Fi network and access calendar and contact data. The fix requires no action from users and will be deployed globally over the next few days.

The existence of a flaw was first suggested back in February in a blog post by Rice University professor Dan Wallach, who noted that several native Android applications don't use SSL encryption to protect their network traffic. But it was only late last week that German researchers devised a proof-of-concept attack to demonstrate the vulnerability.

The hole stems from a flaw in Google's ClientLogin authentication protocol, which is designed to allow applications to trade a user's credentials for an authentication token that identifies the user to the service. If the token is passed through an unencrypted request, it could potentially be intercepted by an attacker and used to access a user's web-based calendars, their contacts and apparently also the Picasa photo storage and sharing service.

The latest releases of Android for smartphones (2.3.4) and tablets (3.0) are not affected by this issue, but since more than 99% of Android device owners are still using older versions, Google saw fit to expedite a fix.

Basically, the fix forces all Android devices to connect to Google Calendar and Contacts servers over HTTPS so that authentication tokens won't be susceptible to eavesdropping when transmitted over an unprotected wireless network. Google is reportedly still investigating whether or not Picasa is vulnerable as well.
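As a defender-side illustration of both the token exposure described above and the HTTPS fix, here is an added example (not the article's or Google's code) that audits captured request records for ClientLogin tokens sent without TLS. It assumes requests are modelled as (url, headers) pairs and uses the ClientLogin header format `Authorization: GoogleLogin auth=<token>`; all sample traffic and token values are constructed.

```python
"""Flag ClientLogin tokens sent over plaintext HTTP (added example, not the
article's code). Assumes requests modelled as (url, headers) pairs and the
ClientLogin header format 'Authorization: GoogleLogin auth=<token>'; all
sample traffic and token values below are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit

TOKEN_PREFIX = "GoogleLogin auth="

@dataclass(frozen=True)
class Finding:
    host: str
    path: str
    token_hint: str  # masked: enough to correlate findings, never the full secret

def mask(token):
    """Keep a few characters of the token so findings can be correlated without logging it."""
    return "*" * len(token) if len(token) <= 8 else f"{token[:4]}...{token[-4:]}"

def check_request(url, headers):
    """Return a Finding if this request carries a ClientLogin token in the clear, else None."""
    parts = urlsplit(url)
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None or not auth.startswith(TOKEN_PREFIX):
        return None  # no ClientLogin token on this request
    if parts.scheme == "https":
        return None  # token travels inside TLS; this is the post-patch case
    return Finding(parts.netloc, parts.path, mask(auth[len(TOKEN_PREFIX):]))

def audit(requests):
    """Run check_request over captured (url, headers) pairs and collect findings."""
    return [f for f in (check_request(u, h) for u, h in requests) if f is not None]

# Constructed sample traffic: two plaintext syncs like the pre-patch calendar
# and contacts behaviour the article describes, one HTTPS sync as forced by
# the fix, and one request carrying no token at all.
SAMPLE_TRAFFIC = [
    ("http://www.google.com/calendar/feeds/default/private/full",
     {"Authorization": "GoogleLogin auth=DQAAAMadeUpCalendarToken0001"}),
    ("http://www.google.com/m8/feeds/contacts/default/full",
     {"Authorization": "GoogleLogin auth=DQAAAMadeUpContactsToken0002"}),
    ("https://www.google.com/calendar/feeds/default/private/full",
     {"Authorization": "GoogleLogin auth=DQAAAMadeUpCalendarToken0001"}),
    ("http://www.google.com/", {"User-Agent": "Android/2.3.3"}),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_TRAFFIC):
        print(f"plaintext ClientLogin token to {f.host}{f.path}: {f.token_hint}")
```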